CWE-434— Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.— MITRE CWE catalog
4,081 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-434page 53 of 82
- CVE-2024-40550HIGHCVSS 8.8EG 8.82024-07-12
An arbitrary file upload vulnerability in the component /admin/cmsTemplate/savePlaceMetaData of Public CMS v.4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2024-40551HIGHCVSS 8.8EG 8.82024-07-12
An arbitrary file upload vulnerability in the component /admin/cmsTemplate/doUpload of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2024-40553MEDIUMCVSS 4.9EG 4.92024-07-15
Tmall_demo v2024.07.03 was discovered to contain an arbitrary file upload via the component uploadUserHeadImage.
- CVE-2024-40555MEDIUMCVSS 5.3EG 5.32024-07-15
Tmall_demo v2024.07.03 was discovered to contain an arbitrary file upload vulnerability.
- CVE-2024-40645HIGHCVSS 8.8EG 8.82024-07-31
FOG is a cloning/imaging/rescue suite/inventory management system. An improperly restricted file upload feature allows authenticated users to execute arbitrary code on the fogproject server. The Rebranding feature has a check on the client…
- CVE-2024-40691HIGHCVSS 8.0EG 8.02024-12-03
IBM Cognos Controller 11.0.0 and 11.0.1 could be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files i…
- CVE-2024-40693HIGHCVSS 8.0EG 8.02025-01-24
IBM Planning Analytics 2.0 and 2.1 could be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the…
- CVE-2024-40695HIGHCVSS 8.0EG 8.02024-12-20
IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4 could be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and…
- CVE-2024-40744CRITICALCVSS 9.8EG 9.82024-12-04
Unrestricted file upload via security bypass in Convert Forms component for Joomla in versions before 4.4.8.
- CVE-2024-41339HIGHCVSS 8.8EG 9.82025-02-27
An issue in the CGI endpoint used to upload configurations in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 pri…
- CVE-2024-41340HIGHCVSS 8.4EG 8.42025-02-27
An issue in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5…
- CVE-2024-41454MEDIUMCVSS 6.5EG 6.52025-01-15
An arbitrary file upload vulnerability in the UI login page logo upload function of Process Maker pm4core-docker 4.1.21-RC7 allows attackers to execute arbitrary code via uploading a crafted PHP or HTML file.
- CVE-2024-41577CRITICALCVSS 9.8EG 9.82024-08-12
An arbitrary file upload vulnerability in the Ueditor component of productinfoquick v1.0 allows attackers to execute arbitrary code via uploading a crafted PNG file.
- CVE-2024-41731LOWCVSS 3.1EG 3.12024-08-13
SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network, that could be executed by the application. On successful exploitation, the attacker can cause a low impact on th…
- CVE-2024-41913HIGHCVSS 8.8EG 8.82024-08-06
A vulnerability was discovered in the firmware builds up to 10.10.2.2 in Poly Clariti Manager devices. The firmware flaw does not properly sanitize User input.
- CVE-2024-4197CRITICALCVSS 9.9EG 9.92024-06-25
An unrestricted file upload vulnerability in Avaya IP Office was discovered that could allow remote command or code execution via the One-X component. Affected versions include all versions prior to 11.1.3.1.
- CVE-2024-42054MEDIUMCVSS 5.4EG 5.42024-07-28
Cervantes through 0.5-alpha accepts insecure file uploads.
- CVE-2024-42180LOWCVSS 1.6EG 1.62025-01-12
HCL MyXalytics is affected by a malicious file upload vulnerability. The application accepts invalid file uploads, including incorrect content types, double extensions, null bytes, and special characters, allowing attackers to upload and …
- CVE-2024-42375MEDIUMCVSS 4.3EG 4.32024-08-13
SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network, that could be executed by the application. On successful exploitation, the attacker can cause a low impact…
- CVE-2024-42523HIGHCVSS 7.2EG 7.22024-08-23
publiccms V4.0.202302.e and before is vulnerable to Any File Upload via publiccms/admin/cmsTemplate/saveMetaData
- CVE-2024-42563CRITICALCVSS 9.8EG 9.82024-08-20
An arbitrary file upload vulnerability in ERP commit 44bd04 allows attackers to execute arbitrary code via uploading a crafted HTML file.
- CVE-2024-42640CRITICALCVSS 9.8EG 9.82024-10-11
angular-base64-upload prior to v0.1.21 is vulnerable to unauthenticated remote code execution via demo/server.php. Exploiting this vulnerability allows an attacker to upload arbitrary content to the server, which can subsequently be access…
- CVE-2024-42676HIGHCVSS 8.8EG 8.82024-08-15
File Upload vulnerability in Huizhi enterprise resource management system v.1.0 and before allows a remote attacker to execute arbitrary code via the /nssys/common/Upload. Aspx? Action=DNPageAjaxPostBack component
- CVE-2024-42767HIGHCVSS 7.2EG 7.22024-08-22
Kashipara Hotel Management System v1.0 is vulnerable to Unrestricted File Upload RCE via /admin/add_room_controller.php.
- CVE-2024-42777CRITICALCVSS 9.8EG 9.82024-08-21
An Unrestricted file upload vulnerability was found in "/music/ajax.php?action=signup" of Kashipara Music Management System v1.0, which allows attackers to execute arbitrary code via uploading a crafted PHP file.
- CVE-2024-42778HIGHCVSS 8.8EG 8.82024-08-21
An Unrestricted file upload vulnerability was found in "/music/ajax.php?action=save_playlist" in Kashipara Music Management System v1.0. This allows attackers to execute arbitrary code via uploading a crafted PHP file.
- CVE-2024-42779HIGHCVSS 8.8EG 8.82024-08-21
An Unrestricted file upload vulnerability was found in "/music/ajax.php?action=save_music" in Kashipara Music Management System v1.0. This allows attackers to execute arbitrary code via uploading a crafted PHP file.
- CVE-2024-42780HIGHCVSS 8.8EG 8.82024-08-21
An Unrestricted file upload vulnerability was found in "/music/ajax.php?action=save_genre" in Kashipara Music Management System v1.0. This allows attackers to execute arbitrary code via uploading a crafted PHP file.
- CVE-2024-42991HIGHCVSS 8.1EG 8.12024-09-03
MCMS v5.4.1 has front-end file upload vulnerability which can lead to remote command execution.
- CVE-2024-4306CRITICALCVSS 9.9EG 9.92024-04-29
Critical unrestricted file upload vulnerability in HubBank affecting version 1.0.2. This vulnerability allows a registered user to upload malicious PHP files via upload document fields, resulting in webshell execution.
- CVE-2024-43160CRITICALCVSS 10.0EG 10.02024-08-13
Unrestricted Upload of File with Dangerous Type vulnerability in BerqWP allows Code Injection.This issue affects BerqWP: from n/a through 1.7.6.
- CVE-2024-43243CRITICALCVSS 10.0EG 10.02025-01-07
Unrestricted Upload of File with Dangerous Type vulnerability in themeglow JobBoard Job listing job-board-light allows Upload a Web Shell to a Web Server.This issue affects JobBoard Job listing: from n/a through <= 1.2.6.
- CVE-2024-43249CRITICALCVSS 9.9EG 9.92024-08-19
Unrestricted Upload of File with Dangerous Type vulnerability in Bit Apps Bit Form Pro allows Command Injection.This issue affects Bit Form Pro: from n/a through 2.6.4.
- CVE-2024-4345CRITICALCVSS 9.8EG 9.82024-05-07
The Startklar Elementor Addons plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'process' function in the 'startklarDropZoneUploadProcess' class in versions up to, and including, …
- CVE-2024-4349HIGHCVSS 7.3EG 6.32024-04-30
A vulnerability has been found in SourceCodester Pisay Online E-Learning System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /lesson/controller.php. The manipulation of the argument…
- CVE-2024-43656HIGHCVSS 8.8EG 8.82025-01-09
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability allows OS Command Injection as root This issue affects Iocharger firmware for AC model chargers before version 24120701. Likelihood: Modera…
- CVE-2024-43657HIGHCVSS 8.8EG 8.82025-01-09
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability allows OS Command Injection as root This issue affects Iocharger firmware for AC model chargers before version 24120701. Likelihood: High. …
- CVE-2024-43662MEDIUMCVSS 5.3EG 5.32025-01-09
The <redacted>.exe or <redacted>.exe CGI binary can be used to upload arbitrary files to /tmp/upload/ or /tmp/ respectively as any user, although the user interface for uploading files is only shown to the iocadmin user. This issue affect…
- CVE-2024-4389HIGHCVSS 8.8EG 8.82024-08-14
The Slider and Carousel slider by Depicter plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadFile function in all versions up to, and including, 3.1.1. This makes it possible for …
- CVE-2024-4397HIGHCVSS 8.8EG 8.82024-05-14
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_post_materials' function in versions up to, and including, 4.2.6.5. This makes it possibl…
- CVE-2024-44220MEDIUMCVSS 5.5EG 6.52024-12-12
The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.2, macOS Sonoma 14.7.2. Parsing a maliciously crafted video file may lead to unexpected system termination.
- CVE-2024-44598HIGHCVSS 8.8EG 8.82025-12-15
FNT Command 13.4.0 is vulnerable to Code Execution via the C Base Module.
- CVE-2024-44599HIGHCVSS 8.3EG 8.32025-12-15
FNT Command 13.4.0 is vulnerable to Directory Traversal.
- CVE-2024-44849CRITICALCVSS 9.8EG 9.82024-09-09
Qualitor up to 8.24 is vulnerable to Remote Code Execution (RCE) via Arbitrary File Upload in checkAcesso.php.
- CVE-2024-44871HIGHCVSS 7.2EG 7.22024-09-10
An arbitrary file upload vulnerability in the component /admin/index.php of moziloCMS v3.0 allows attackers to execute arbitrary code via uploading a crafted file.
- CVE-2024-4500MEDIUMCVSS 6.3EG 6.32024-05-05
A vulnerability was found in SourceCodester Prison Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /Employee/edit-photo.php. The manipulation of the argument userImage leads to u…
- CVE-2024-45076CRITICALCVSS 9.9EG 9.92024-09-04
IBM webMethods Integration 10.15 could allow an authenticated user to upload and execute arbitrary files which could be executed on the underlying operating system.
- CVE-2024-45136HIGHCVSS 7.8EG 7.82024-10-09
InCopy versions 19.4, 18.5.3 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution by an attacker. An attacker could exploit this vulnerability by uploadi…
- CVE-2024-45137HIGHCVSS 7.8EG 7.82024-10-09
InDesign Desktop versions 19.4, 18.5.3 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by uploading a …
- CVE-2024-45171HIGHCVSS 8.8EG 8.82024-09-05
An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper user input validation, it is possible to upload dangerous files, for instance PHP code, to the C-MOR system. By analyzing the C-MOR web interface, it w…
Map vulnerabilities like CWE-434 to your infrastructure
EchelonGraph correlates every CVE — across CWE-434 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →